"I'm interested in all kinds of astronomy."
@joxean @UncleDuke1969 We have this saying that you should try everything in life except incest and folk dancing #NoKinkShaming
1
1
3
repeated

David Chisnall (*Now with 50% more sarcasm!*)

So, I have actually read the text of California law CA AB1043 and, honestly, I don't hate it. It requires operating systems to let you enter a date when you create a user account and requires a way for software to get a coarse-grained approximation of this that says either 'over 18' or one of three age ranges of under-18s. Importantly, it doesn't require:

  • Remote attestation.
  • Tamper-proof storage of the age.
  • Any validation in the age.

In short, it's a tool for parents: it allows you to set the age of a child's account so that apps (including web browsers, which can then expose via JavaScript or whatever) can ask questions about what features they should expose.

In a UNIX-like system, this is easy to do, with a tiny amount of new userspace things:

  • Define four groups for the four age ranges (ideally, standardise their names!).
  • Add a /etc/user_birthdays file (or whatever name it is) that stores pairs of username (or uid) and birthdays.
  • Add a daily cron job that checks the above file and updates group membership.
  • Modify user-add scripts / GUIs to create an entry in the above file.
  • Add a tool to create an entry in the above file for existing user accounts.

This doesn't require any kernel changes. Any process can query the set of groups that the user is in already.

If a parent wants to give their child root, they can update the file and bypass the check. And that's fine, that's a parent's choice. And that's what I want.

I like this approach far more than things that require users to provide scans of passports and other toxically personal information to be able to use services. If we had this feature, then the Online Safety Act could simply require that web browsers provide a JavaScript API to query the age bracket and didn't work unless it returned 'over 18'.

34
10
0
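The daily job described in the post above, sketched as an added example that is not part of the original post or any project's code. The group names, the bracket boundaries and the `username:YYYY-MM-DD` file format are assumptions, and the sketch returns a plan of group changes rather than editing `/etc/group`.

```python
from datetime import date

# Assumptions for illustration: group names, bracket boundaries and the
# "username:YYYY-MM-DD" file format are hypothetical, not from the post.
BRACKETS = [(18, "age-18plus"), (16, "age-16to17"), (13, "age-13to15"), (0, "age-under13")]
AGE_GROUPS = {group for _, group in BRACKETS}

def age_on(birthday, today):
    """Whole years elapsed; a 29 Feb birthday rolls over on 1 Mar in non-leap years."""
    had_birthday = (today.month, today.day) >= (birthday.month, birthday.day)
    return today.year - birthday.year - (0 if had_birthday else 1)

def bracket_group(birthday, today):
    """Map a birthday to exactly one age-range group; None if it lies in the future."""
    age = age_on(birthday, today)
    return next((group for min_age, group in BRACKETS if age >= min_age), None)

def parse_birthdays(text):
    """Parse the birthday file, skipping blanks, comments and malformed entries."""
    entries = {}
    for line in text.splitlines():
        user, _, iso = line.strip().partition(":")
        if not user or user.startswith("#"):
            continue
        try:
            entries[user] = date.fromisoformat(iso)
        except ValueError:
            continue  # skip a malformed date rather than abort the whole run
    return entries

def plan_updates(entries, memberships, today):
    """Return {user: (groups_to_add, groups_to_remove)}, touching only age groups."""
    plan = {}
    for user, birthday in entries.items():
        group = bracket_group(birthday, today)
        want = {group} if group else set()
        have = memberships.get(user, set()) & AGE_GROUPS
        if have != want:
            plan[user] = (sorted(want - have), sorted(have - want))
    return plan

# Constructed sample input: file contents and current group memberships.
SAMPLE_FILE = "# user:birthday\nalice:2010-03-15\nbob:2008-02-29\ncarol:1990-07-01\ndave:soon\n"
SAMPLE_GROUPS = {"alice": {"users", "age-13to15"}, "bob": {"age-16to17"}, "carol": {"wheel"}}

if __name__ == "__main__":
    for user, (add, remove) in plan_updates(
            parse_birthdays(SAMPLE_FILE), SAMPLE_GROUPS, date(2026, 3, 15)).items():
        print(user, "add", add, "remove", remove)
```

Removing the stale bracket group in the same step as adding the new one keeps each account in exactly one age group, which is what a querying process relies on.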
*Screams in 53-bit numbers*
1
0
3
"Enemy missile took out a central processing unit. [...] We've got a mirror going of course, and we'll have it all up and running again in no time flat. You're just free-floating here for a couple of nanoseconds, while we get UAE processing again."
0
0
2
repeated

coping with interstellar medium looks like the better alternative these days

0
9
0
repeated

Three years ago I blogged about serving outdated packages.

They then removed the packages I found.

I checked nuget again *today* and immediately found a nine-year-old curl package that is downloaded at the rate of 1,000 times/week from there... with **64** known vulnerabilities.

The blog post from back then: https://daniel.haxx.se/blog/2023/03/02/the-curl-nuget-story/

5
10
0
repeated

Graham Sutherland / Polynomial

Samsung is an ad delivery network that, as a side effect, produces electronic devices and appliances.

4
6
0
repeated
@mcc @cxiao Maybe you can hack a sensor into @joeycastillo's SensorWatch for compass? https://www.sensorwatch.net/
0
0
0
repeated

Schrödinger's Catgirl (Joyce)

A friend, @chloetankahhui, has been speaking up against the proposal to enforce age verification at the OS level, and the QRTs to this show the extent of naivety that a lot of people have.

No one who does hardware security believes that any system is bulletproof, but do you really think that circumventing these things will always be a simple firmware mod or hardware hack?

Let's dive in. /1

3
15
0
repeated

Trammell Hudson

What's the EU alternative to Let's Encrypt? I see that Actalis is in the default trust store and has a free ACME service, except that it will only do single domain certs so it won't work for my nginx proxy that handles all the TLS.

3
5
0
repeated

@0x0sojalsec shared a new repo: "Pre-built Jailbroken iOS 26 iPhone fully runs on VM✨

Full virtual iPhone ready-to-run jailbroken iPhone (rootless + Sileo + Filza + TrollStore vibes).

Just download, Test tweaks, exploit PoCs, and debug without touching your daily driver.😗"

https://github.com/34306/vphone-aio

0
3
0
repeated

joernchen :cute_dumpster_fire:

Lands of Packets

TTL exceeded.

I would like to collect texts from the scene about FX in his memory. A collection of obituaries that will then be posted on phenoelit.de.

If anyone would like to contribute, please contact me.

Mail: joernchen@phenoelit.de
Signal: jrn.07

2
12
0
repeated

I genuinely think the worst thing the internet did to reading was convince people that finishing books is a competitive sport. You don't need to read 52 books a year. You just need to read. Books you like. At your own pace. And think about them for longer than a TikTok video.

36
22
2
repeated

Solution Hackeuse soon at OrangeCon

Edited 7 days ago

Multiple people left my team (a Red Team in the Netherlands, in a big company understanding that security is important). They leave because of personal things (family is far, family problems, etc; of course, we wish them the best). So, we are once again hiring!
Anyone interested?
The team is based in Amsterdam. Relocation should be ok (They relocated me). Language is English, no need to be perfect in English.

Minorities preferred. (Currently I’m the only technical non-man, but, maybe we’ll be more soon!)

EDIT: no public job offer yet, but I’ll try to keep this post updated

2
6
0
repeated

Project Zero Bot

New Project Zero issue:

Adobe DNG SDK: integer overflow in dng_ref_counted_block::Allocate leads to memory corruption on 32-bit platforms

https://project-zero.issues.chromium.org/issues/467941645

CVE-2026-21353
1
1
0
repeated

Project Zero Bot

New Project Zero issue:

Adobe DNG SDK: missing allocation check leads to an arbitrary memory write in JXL format processing

https://project-zero.issues.chromium.org/issues/464250765

CVE-2026-21352
0
1
0
repeated

Project Zero Bot

New Project Zero issue:

Adobe DNG SDK: multiple integer arithmetic issues in embedded JXL image support

https://project-zero.issues.chromium.org/issues/463335147

CVE-2026-21354
0
1
0
repeated
white paper about how awesome symbolic execution is

Wound up reading this white-paper to refresh myself on how Fucked Up VMProtect is as an obfuscation engine. https://link.springer.com/chapter/10.1007/978-3-319-89500-0_28

0
3
0